RedSun: Windows 0day when Defender becomes the attacker
ID: 9623672c-1a71-510f-9718-3c2c2f5fe172
STIX ID: report--9623672c-1a71-510f-9718-3c2c2f5fe172
Feed Name: CloudSEK Blog
## Executive summary

This report describes "RedSun", a reliable local privilege escalation exploit that leverages a missing reparse-point validation in Windows Defender's remediation path (MpSvc.dll / MsMpEng.exe). By combining Cloud Files placeholders, a batch OPLOCK timing window, VSS snapshot detection, and a junction point swap, an unprivileged user can cause Defender to write an attacker-controlled binary into C:\Windows\System32 and trigger it via the Storage Tiers COM server, yielding SYSTEM-level code execution on fully patched Windows systems. The document includes a detailed code-path analysis, detection/mitigation recommendations, and notes that no patch was available at time of writing.
